[Libreoffice-qa] Moztrap OpenID support - go for testing!

Yi Fan Jiang yfjiang at suse.com
Thu Oct 11 03:33:21 PDT 2012


Hi,

I just sealed the hole by disabling the duplicated email :)
Yes...the email account backward-compatibility should be rethought.

@Rimas, would you help try out whether any methods
can do the bad thing again? I need to make sure the current security
level takes effect.

Best wishes,
Yifan

>>> Yi Fan Jiang 10/11/12 6:18 PM >>>
Hi Rimas,

Ouch...great catch!! I'll definitely look into it.

Best wishes,
Yifan

>>> Rimas Kudelis <rq at akl.lt> 10/11/12 6:08 PM >>>
Hi Yifan!

2012.10.11 12:43, Yi Fan Jiang wrote:
> I have brought OpenID to Moztrap this week, the following is the test
> page for login:
>
> http://vm12.documentfoundation.org/openid/login/

that's awesome!

> I will update the main login page to add openid support next weekend
> if no critical issue found.
>
> Functions currently supported (testing required)
> ================================================
>
> * Based on EMAIL address, native login/Mozilla Persona/OpenID are all
> mapped to the same user in Moztrap now, so they should work together
> seamlessly. The details are as follows.
>
> - If you have a natively registered moztrap user or have ever used Mozilla
> Persona to log in, and your openid provides the exact same EMAIL as such
> an account, the original user and openid user will be treated as exactly
> identical.
>
> Actually you should feel nothing changed except that inputting a password is
> no longer needed :)

Great! Except here's a critical issue for you: I have just managed to
log on to MozTrap as you!!!

Here's the proof: http://i.imgur.com/eF0Cl.png .

In case you're wondering how I did this: I logged on to my weblog, set
my email in my profile to yfjiang at suse.com, and used its OpenID provider
to log in to the test website. Since I don't need to prove to my weblog
or the demo site that the email is indeed mine, I basically have full
control over MozTrap now. So, not a good thing. This needs some
rethinking. The most obvious option would be to use the OpenID URL (or
whatever it is that OpenID provides as the identifier) as id when
logging in using OpenID. This would also have a nice "side effect" that
the user could change their primary email, and still be able to log in
with the same user id and permissions.

Regards!
Rimas
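The account-linking flaw Rimas reports and the two fixes discussed in the thread (keying on the OpenID claimed identifier, and refusing to auto-merge on a duplicated email), modelled as an added example that is not MozTrap's code. The user store, the `User`/`Store` classes and the sample identifiers are constructed for illustration.

```python
"""OpenID account lookup: the email-keyed mapping from the thread beside a
version keyed on the claimed identifier. Constructed example, not MozTrap code."""
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    email: str
    openids: set = field(default_factory=set)  # linked OpenID claimed identifiers

class Store:
    def __init__(self, users):
        self.users = {u.username: u for u in users}

    def by_email(self, email):
        return next((u for u in self.users.values() if u.email == email), None)

    def by_openid(self, claimed_id):
        return next((u for u in self.users.values() if claimed_id in u.openids), None)

def login_email_keyed(store, claimed_id, email):
    """Vulnerable: a self-asserted email from any provider selects the account."""
    user = store.by_email(email)
    if user is None:
        user = User(username=email, email=email, openids={claimed_id})
        store.users[user.username] = user
    return user

def login_identifier_keyed(store, claimed_id, email):
    """Hardened: the claimed identifier, whose ownership the provider proved in
    the OpenID exchange, is the key. An unverified email never attaches a new
    identifier to an existing account; a taken email refuses the login."""
    user = store.by_openid(claimed_id)
    if user is not None:
        return user
    if store.by_email(email) is not None:
        return None  # existing account: needs an authenticated link step instead
    user = User(username=claimed_id, email=email, openids={claimed_id})
    store.users[user.username] = user
    return user

def demo():
    """Replay the report: the attacker's own provider asserts the victim's email."""
    victim_email = "victim@example.org"          # constructed
    attacker_id = "https://attacker.example/"    # constructed
    s1 = Store([User("victim", victim_email)])
    s2 = Store([User("victim", victim_email)])
    return (login_email_keyed(s1, attacker_id, victim_email).username,
            login_identifier_keyed(s2, attacker_id, victim_email))
```

`demo()` shows the email-keyed lookup handing the victim's account to a foreign identifier, while the identifier-keyed lookup refuses it; linking a second identity to an existing account then belongs in a step performed while already logged in.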
